Skip to content

OCPBUGS-56451: Use the ImageDigest SourcePolicy to configure image registry on bootstrap host #10073

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 19, 2025
Merged

OCPBUGS-56451: Use the ImageDigest SourcePolicy to configure image registry on bootstrap host #10073

merged 4 commits into from
Nov 19, 2025

Conversation

@sadasu
Copy link
Contributor

@sadasu sadasu commented Nov 12, 2025

A new policy was added to the ImageDigestSource configuration that allows the user to specify policy when there is a failure pulling an image from the source.

Update the image registry configuration on the bootstrap host with this SourcePolicy.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Nov 12, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 12, 2025

@sadasu: This pull request references Jira Issue OCPBUGS-56451, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

A new policy was added to the ImageDigestSource configuration that allows the user to specify policy when there is a failure pulling an image from the source.

Update the image registry configuration on the bootstrap host with this SourcePolicy.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from gpei November 12, 2025 00:18
@sadasu sadasu force-pushed the fix-mirrorSourcePolicy branch from 52046fe to 99d43aa Compare November 12, 2025 00:18
@openshift-ci openshift-ci bot requested review from bfournie and javipolo November 12, 2025 00:20
@tthvo
Copy link
Member

tthvo commented Nov 12, 2025

/cc @patrickdillon

@openshift-ci openshift-ci bot requested a review from patrickdillon November 12, 2025 00:30
tthvo
tthvo reviewed Nov 12, 2025
View reviewed changes
Copy link
Member

@tthvo tthvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I followed the below steps to test this PR:

  1. With the install-config block:

    imageDigestSources:
- mirrors:
  - ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release
  source: registry.build10.ci.openshift.org/ci-ln-wmr7tpk/release
  sourcePolicy: NeverContactSource
- mirrors:
  - ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release
  source: registry.build10.ci.openshift.org/ci-ln-wmr7tpk/stable

  2. Generating the ignition-configs:

    ./openshift-install create ignition-configs --dir=.

  3. Check the content of bootstrap ignition:

     cat ./bootstrap.ign | jq -r '.storage.files[] | select(.path=="/etc/containers/registries.conf") | .contents.source' | cut -d , -f2 | base64 -d

I did see the blocked field, but unfortunately, it is always false regardless of source policy. I have a few suggestions above that will help 🤔

@tthvo
Copy link
Member

tthvo commented Nov 12, 2025

With the suggestions above, I followed the same steps as #10073 (comment) and I can now see the correct registries.conf:

$ cat ./bootstrap.ign | jq -r '.storage.files[] | select(.path=="/etc/containers/registries.conf") | .contents.source' | cut -d , -f2 | base64 -d
[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-wmr7tpk/release"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release"
insecure = false


[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-wmr7tpk/stable"
insecure = false
mirror-by-digest-only = true
blocked = false

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release"
insecure = false

@gpei
Copy link
Contributor

gpei commented Nov 12, 2025

I did see the blocked field, but unfortunately, it is always false regardless of source policy.

+1, when the sourcePolicy is set to NeverContactSource to prevent pulling images from the original registry, the file /etc/containers/registries.conf on bootstrap remains in this state:

[root@ip-10-0-59-60 ~]# cat /etc/containers/registries.conf
[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-sp22d22/release"
insecure = false
mirror-by-digest-only = true
blocked = false

[[registry.mirror]]
location = "xx/ci-ln-sp22d22/release"
insecure = false


[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-sp22d22/stable"
insecure = false
mirror-by-digest-only = true
blocked = false

[[registry.mirror]]
location = "xx/ci-ln-sp22d22/release"
insecure = false

@sadasu
Update image registry configuration on bootstrap host
58df567 
A new policy was added to the ImageDigestSource configuration that
allows the user to specify policy when there is a failure pulling
an image from the source.

Update the image registry configuration on the bootstrap host with
this SourcePolicy.
@sadasu
Update Image registry configuration for image based install
fb38639 
Update the image registry configuration with the newly added
Image source policy field that specifies the fallback policy
when image pull fails.
@sadasu
Update Image registry configuration during ABI
a27c0c7 
With the introduction of the fallback source policy when Image
source and mirrors are specified, image registry configuration
for ABI should be update to include that.
@sadasu sadasu force-pushed the fix-mirrorSourcePolicy branch from 99d43aa to 7f87dd6 Compare November 13, 2025 22:31
tthvo
tthvo reviewed Nov 14, 2025
View reviewed changes
@tthvo
Copy link
Member

tthvo commented Nov 14, 2025

Side note: I just realized we can use struct as key in golang https://go.dev/blog/maps 🤣 wow, so much more to learn haha

@sadasu sadasu force-pushed the fix-mirrorSourcePolicy branch from 7f87dd6 to be61527 Compare November 14, 2025 16:24
@sadasu sadasu force-pushed the fix-mirrorSourcePolicy branch from be61527 to 4752371 Compare November 14, 2025 17:22
@sadasu
Copy link
Contributor Author

sadasu commented Nov 14, 2025

@andfasano and @mresvanis could you PTAL?

@tthvo
Copy link
Member

tthvo commented Nov 14, 2025

/test e2e-aws-ovn

tthvo
tthvo reviewed Nov 14, 2025
View reviewed changes
Copy link
Member

@tthvo tthvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

This worked for me 🥳 With the install-config snippet:

imageDigestSources:
- mirrors:
  - ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release
  source: registry.build10.ci.openshift.org/ci-ln-wmr7tpk/release
  sourcePolicy: NeverContactSource
- mirrors:
  - ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release
  source: registry.build10.ci.openshift.org/ci-ln-wmr7tpk/stable

The following bootstrap registry config is generated:

cat ./bootstrap.ign | jq -r '.storage.files[] | select(.path=="/etc/containers/registries.conf") | .contents.source' | cut -d , -f2 | base64 -d
[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-wmr7tpk/release"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release"
insecure = false


[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-wmr7tpk/stable"
insecure = false
mirror-by-digest-only = true
blocked = false

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-wmr7tpk/release"
insecure = false

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 14, 2025
@tthvo
Copy link
Member

tthvo commented Nov 16, 2025

/test e2e-aws-ovn

@gpei
Copy link
Contributor

gpei commented Nov 17, 2025

@tthvo Thanks for helping to verify the generated content of registry.conf in these two scenarios.
I made an additional verification step, which confirmed that when setting to 'block', the file ultimately created on the bootstrap node is expected and the container runtime are indeed unable to pull images from the blocked registry address.

[root@ip-10-0-52-101 ~]# cat /etc/containers/registries.conf
[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-52ibs72/release"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-52ibs72/release"
insecure = false


[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-52ibs72/stable"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-52ibs72/release"
insecure = false


[root@ip-10-0-52-101 ~]# crictl pull registry.build10.ci.openshift.org/ci-ln-52ibs72/release
E1117 03:17:43.722036    5257 log.go:32] "PullImage from image service failed" err="rpc error: code = Unknown desc = unable to pull image or OCI artifact: pull image err: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/release:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d; artifact err: get manifest: build image source: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d" image="registry.build10.ci.openshift.org/ci-ln-52ibs72/release"
FATA[0000] pulling image: unable to pull image or OCI artifact: pull image err: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/release:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d; artifact err: get manifest: build image source: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d 

[root@ip-10-0-52-101 ~]# podman pull registry.build10.ci.openshift.org/ci-ln-52ibs72/stable
Trying to pull registry.build10.ci.openshift.org/ci-ln-52ibs72/stable:latest...
Error: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/stable:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/stable is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d

/verified by @gpei

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 17, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 17, 2025

@gpei: This PR has been marked as verified by @gpei.

In response to this:

@tthvo Thanks for helping to verify the generated content of registry.conf in these two scenarios.
I made an additional verification step, which confirmed that when setting to 'block', the file ultimately created on the bootstrap node is expected and the container runtime are indeed unable to pull images from the blocked registry address.

[root@ip-10-0-52-101 ~]# cat /etc/containers/registries.conf
[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-52ibs72/release"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-52ibs72/release"
insecure = false


[[registry]]
location = "registry.build10.ci.openshift.org/ci-ln-52ibs72/stable"
insecure = false
mirror-by-digest-only = true
blocked = true

[[registry.mirror]]
location = "ec2-xxx.compute-1.amazonaws.com:5000/ci-ln-52ibs72/release"
insecure = false


[root@ip-10-0-52-101 ~]# crictl pull registry.build10.ci.openshift.org/ci-ln-52ibs72/release
E1117 03:17:43.722036    5257 log.go:32] "PullImage from image service failed" err="rpc error: code = Unknown desc = unable to pull image or OCI artifact: pull image err: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/release:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d; artifact err: get manifest: build image source: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d" image="registry.build10.ci.openshift.org/ci-ln-52ibs72/release"
FATA[0000] pulling image: unable to pull image or OCI artifact: pull image err: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/release:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d; artifact err: get manifest: build image source: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/release is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d 

[root@ip-10-0-52-101 ~]# podman pull registry.build10.ci.openshift.org/ci-ln-52ibs72/stable
Trying to pull registry.build10.ci.openshift.org/ci-ln-52ibs72/stable:latest...
Error: initializing source docker://registry.build10.ci.openshift.org/ci-ln-52ibs72/stable:latest: registry registry.build10.ci.openshift.org/ci-ln-52ibs72/stable is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d

/verified by @gpei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@patrickdillon
Copy link
Contributor

patrickdillon commented Nov 18, 2025

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 18, 2025
@andfasano
Copy link
Contributor

andfasano commented Nov 18, 2025

Changes look good also from ABI point of view

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 18, 2025
edited
Loading

@sadasu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-agent-two-node-fencing-ipv4 4752371 link false /test e2e-agent-two-node-fencing-ipv4

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 18, 2025

/retest-required

Remaining retests: 0 against base HEAD ccad892 and 2 for PR HEAD 4752371 in total

@openshift-merge-bot openshift-merge-bot bot merged commit 02535f7 into openshift:main Nov 19, 2025
27 of 28 checks passed
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 19, 2025

@sadasu: Jira Issue Verification Checks: Jira Issue OCPBUGS-56451
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-56451 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

In response to this:

A new policy was added to the ImageDigestSource configuration that allows the user to specify policy when there is a failure pulling an image from the source.

Update the image registry configuration on the bootstrap host with this SourcePolicy.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Nov 23, 2025

Fix included in accepted release 4.21.0-0.nightly-2025-11-22-193140

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpei gpei Awaiting requested review from gpei

@bfournie bfournie Awaiting requested review from bfournie

@javipolo javipolo Awaiting requested review from javipolo

@patrickdillon patrickdillon Awaiting requested review from patrickdillon

1 more reviewer

@tthvo tthvo tthvo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@tthvo tthvo

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@sadasu @openshift-ci-robot @tthvo @gpei @patrickdillon @andfasano @openshift-merge-robot